Ransomware, Threat Management, Data Security

Risk to patient safety from cyberattacks critical, even as specifics about direct links remain elusive

Share
Clinicians care for COVID-19 patients in a makeshift ICU (Intensive Care Unit) at Harbor-UCLA Medical Center on Jan. 21, 2021, in Torrance, Calif. Patient safety is a concern when health systems suffer a cyberattack. (Photo by Mario Tama/Getty Images)

Critical attacks against health care thrived in the last year. Now, as patient volumes continue to surge in some parts of the country, safety concerns grow increasingly dire.

And yet, say experts, specific data that clearly demonstrates the impact of cyberattacks on patient care remains elusive. This reality, in fact, further complicates an already complex effort among health care providers to establish technology plans and processes that put patient safety and care first.

“Organizations began to understand that it’s not just about protecting data [in the last 18 months]. It’s much more about protecting the service availability and patient safety," said Leon Lerman, Cynerio CEO and co-founder. In turn that risk became "more of a board-level discussion. And COVID proved that this is indeed a patient safety issue.”

Indeed, critical conversations have driven awareness around the imminent need to prioritize security of endpoints and reducing the risk to the enterprise, with a great deal of focus on maintaining operations after a cyberattack. And while hospital finances are a critical point amid a pandemic, the risk to patient safety is perhaps even more critical.

Take, for example, the cyberattack and monthlong electronic health record downtime at Scripps Health in May. The recovery costs and lost revenue totaled a whopping $112.7 million, a staggering amount to be sure. But what about the impact to patients that were diverted to nearby hospitals or who faced extended wait times when arriving at the impacted hospitals? Firsthand accounts showed that area hospitals were faced with overcrowded emergency rooms and struggled to keep pace with the influx of patients.

Similarly, the Memorial Health cyberattack in mid-August resulted in both care diversions and cancellations of urgent surgeries and radiology exams for a number of days.

SC Media spoke to experts in health care security to dissect the challenges, and define best practices to ensure patient care doesn't get lost amid efforts to avoid downtime and data breaches.

Quantifying people risk

However, as industry stakeholders have noted, it’s difficult to measure the impact to patient safety, due to the complexity of the factors driving risks. 

In September 2020, multiple reports “confirmed” a female patient in Dusseldorf, Germany, died due to an ongoing ransomware attack and network outage at the hospital where she was scheduled to undergo critical care. When the hospital determined the security incident would inhibit their ability to provide her treatment, the patient was sent 19 miles away to a nearby hospital.

Police promptly launched a “negligent homicide” investigation, for which the hackers would have been held responsible, according to BBC reporting, at the time. However, the investigation found prosecutors were unable to establish the legal causation required to rule that the ransomware was behind the death.

Data and specifics are elusive, but firsthand accounts shine a light on care challenges brought on by paper and pen processes. And a lot of patients who experience the long wait times, prescribing mistakes, and other care challenges brought on by outages are more than concerned by these issues.

The WannaCry attack in 2017 is a prime example of how cyberattacks and outages impact care. The National Health Service in England and Scotland reported that 45 care sites went down in the attack, resulting in canceled appointments, emergency care diversions, and a host of concerns from patients and the providers responsible for their care.

One NHS provider told a local news outlet that he was unable to look after patients properly, and despite officials telling the public patient safety was unaffected, “it wasn’t true.”

“At my hospital we are literally unable to do any X-rays, which are an essential component of emergency medicine,” the provider said amid the outages. “I had a patient this evening who we could not do an X-ray for, who absolutely should have had one. He is OK but that is just one example.”

The provider attributed the challenges to the “appalling” IT system. Even when staff and clinicians are doing the best to look out for patients, tech challenges impede their success. He further noted that “there are no robust systems in place to deal with blackouts like this, information-sharing is hard enough in a clinical environment when everything works.”

When IT is down, test results are missed, care is delayed, and care transitions are much more difficult. Even if there are no clear forms of measurement for patient safety impacts, there’s also a lack of data to prove that safety isn’t affected during cyberattacks.

The June cyberattack on the University of Florida Health The Villages Regional Hospital and Leesburg Hospital confirmed the worst. To protect the systems after suffering a ransomware attack, the IT and security teams suspended access to system platforms, including those between the impacted hospitals and the UF campus. 

Officials repeatedly stated that patient care was not affected by the incident, but the employees and patients painted a different picture to the media: with no access to patient records, clinicians were unable to identify patient allergies and medication lists. Instead, hospital staff called pharmacies to obtain patient prescription details.

Patients were missing medications needed for their treatments, and, even worse, some individuals received medications intended for other patients. A week after the attack, an internal update from officials reminded providers of the importance of placing the right lab reports with the correct patient’s chart.

The situation highlights the disparities between PR messaging and the realities of those experiencing the situation on the ground.

Penny Chase, information technology and cybersecurity integrator for Mitre, recently confirmed there have certainly been instances where ransomware attacks led to patient safety issues. When patients are diverted, there are added wait times for receiving care and that time could prove critical, she explained. “But it’s hard to attribute this to the ransomware.”

The strongest data, arguably, on the impact of security disruptions on patient care was seen in a 2019 report published in Health Services Research (HSR) that concretely tied breach remediation efforts to decreased patient care outcomes and negative impacts to timeliness of care.

Ransomware was found to be more disruptive to care than typical breaches and an even greater short-term, adverse relationship with patient outcomes than with long-term remediation efforts. The research found ransomware negatively impacted the accuracy and timeliness of patient data to providers.

“Instances of unauthorized access suggest that existing systems may have weaknesses verifying provider or patient identity, which may increase the risk of a provider inadvertently accessing or editing information on the wrong patient,” researchers wrote at the time.

“Inaccuracies or delays in patient information resulting from changes or enhancements in security are likely to disrupt the care process and adversely affect patient outcomes,” they continued. “Downtimes in EHRs because of maintenance or malfunction have been associated with disruptions in laboratory and medication orders as a result of patient identification and communication problems.”

Further, previous data and reports frequently spotlight risks to patient safety by focusing on hypothetical situations, where an attacker could gain access to a vulnerable device and modify data or change the device function.

Although those are real and critical risks, Lerman said the more significant threat at the moment is an attacker cracking into legacy software and shutting down the provider network. The attack methods are simple, despite the availability and frequency of sophisticated tactics leveraged in many other sectors.

“Article after article, event after event, hospitals are getting attacked,” said Steve Smerz, Halo Health’s chief information security officer. “I start to wonder, just how effective [these processes] actually are inside to protect or defend. I get it, [hospitals] are lucrative targets. There’s a critical use case where patient lives are, in fact, being affected when these attacks occur.”

Consider the EHR system inside hospitals: the platform has become a behemoth where everything connects to it, he added. “If you can lock it up, you’ve basically broken every workflow out there.”

What matters most?

Two years after the HSR report, these issues persist. Most hospitals aren’t prepared to fend off ransomware, and there’s still no way to eliminate risk: providers instead need to determine the risk they’re willing to accept and implement tech and processes to secure the network.

In the simplest terms, patient safety emerges from effective network security practices, and quicker remediation. Providers therefore need to secure the “heartbeat” of the organization and make sure tech and devices are appropriately secured from a perimeter perspective, with firewalls, restricted access, and other access management processes, said Gary Brickhouse, healthcare cybersecurity advisor and chief information security officer of GuidePoint Security.

For Brickhouse, hospital security can be broken down into three key categories: prevention, containment, and recovery. As part of the prevention piece, providers must be able to understand their overall ransomware readiness through answers to core questions:

  • What key activities are needed to prevent ransomware from getting into the environment?
  • When an attacker or virus comes through, what is in place to contain it?
  • What strategies are needed to make the attack less impactful?
  • What systems and devices must be recovered first?

But threat actors are more than likely to get into the network, even when providers put forth best practice strategies. Brickhouse stressed that it means providers must have a detailed plan for the “firefight” that centers around the strategy team that enables fast, effective remediation to protect patient safety.

To understand whether an organization has the ability to quickly pivot after an event, explained Smerz, recommended the use of a third-party consultant that can help an entity assess its posture and find critical weaknesses.

But those assessments must have supported documentation or an understanding from the security team that can explain what assets are the most critical to patient care, as well as the tech that will be less likely to impact operations after an attack, he explained.

Consultants can “facilitate prompts to help people work through that thinking,” said Smerz. “Ultimately, it’s going to come down to understanding key resources inside of the organization.” The hard part is evaluating tech, services, and other devices that if the resource were compromised, could feel the impact.

“And if an attack happens within the clinical workflow or inside the delivery of care, what would happen to patients? Those are the hard questions to ask,” he added. Organizations “must get to the bottom of that because it will provide a prioritized list of what to sequence first and what items can be placed on the backburner.”

Focus on expedient recovery 

Having systems offline doesn’t just impact the entity’s ability to deliver a product. When patients are diverted, the stakes are obviously much higher, said Brickhouse. As such, recovery must be more than an afterthought when it comes to security.

Data backups and system restoration are obviously critical recovery pieces, but organizations must also understand their readiness to recover from an attack, explained Brickhouse. Those organizations that find themselves unprepared are most likely to pay the attackers after the attack to protect patients and expedite recovery — as their processes failed to give them the needed tools to do so on their own.

Recovery plans need to center on patient safety, and thus, an understanding of the critical processes that need to remain online after an attack in order to maintain safety standards. Mitre Health Cyber’s ransomware resource is an invaluable tool for providers looking to identify the crown jewels of the organization and the critical processes for maintaining operations.

The resource also includes tabletop exercises, as well as the elements needed for response plans. The goal is to be able to answer the hard questions:

  • How will prescriptions be filled?
  • Will some services be unavailable during a network outage?
  • How can some system functionality be maintained for customers?
  • How will the systems get back online?
  • How will established appointments be maintained during an attack?
  • If systems are down, what business processes are in place even when services can’t be fulfilled?
  • How and who will answer these questions for customers?

At the end of the day, providers need a detailed strategy able to answer and respond to these questions, explained Brickhouse. Decisions must be made on how these issues will be handled, especially around incident response in light of inevitable ransomware threats.

Margie Zuk, senior principal cybersecurity engineer for Mitre and the cyber engagement lead for health care in the Mitre Cyber Solutions Technical Center, recently stressed that the crucial piece in leveraging cybersecurity processes to effectively protect patient safety truly stems from the ability to recover quickly.

And to do that, entities must answer critical questions and bake those answers into an effective response plan. But providers can’t just write-up an incident response plan and put it on a shelf, the plans must be well-practiced and ingrained into the culture of the organization,  Zuk explained. It boils down to understanding and improving cyber capabilities.

“Again, standards are there around making sure data is backed up with the ability to restore and test those processes,” said Brickhouse. “From an incident response perspective, it’s the same thing: there’s a plan in place, with defined roles and responsibilities, tested over some period of time.”

Health care should take a page from the DevOps sector. Smerz explained that one of the basic elements in that realm is trying to eliminate risk by removing any single points of failure and creating redundant pathways for certain capabilities. For example, “if a computer goes sideways or dies, then another device can spin up and carry the load.”

For health care cybersecurity, the “continuity planning needs to start thinking similarly. Instead of trying to get everything in the same room and protect it, they need to think about redundancy and the ability to continue operations if something happens, he added.”

In the case of an EHR, redundancies would allow the provider to continue care on a separate infrastructure if the main platform is compromised. Although impossible for the entire infrastructure, services, and data, care operations could continue undisturbed by protecting critical workflows and viable pathways, thus protecting the safety of patients, stressed Smerz.

“Some day, there is going to be an unambiguously bad thing that happens, and it will be a wake-up call,” Chase concluded. “Most people who deeply care about this wish the health sector would get their act together before there’s a wake-up call.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.